no1zy
March 11, 2019
Bug Bounty with Burp Suite's Useful Features / Burp Suite's useful function
Slides presented at Burp Suite Japan LT Carnival
Transcript
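Bug bounty with Burp Suite's useful features  No1zy
Self-introduction • twitter: @no1zy_sec • Student at an IT vocational school • Novice bug hunter • Total bounties earned last year: 6.12 million yen
Bug hunters love Burp Suite (The 2019 Hacker Report)
What makes it useful? • It has a full set of the features needed for Web Penetration • The features available in the Pro edition are powerful
Useful features introduced 1. Burp Collaborator client 2. Find Script 3. Analyze target  All of them are available only in the Pro edition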
1. Burp Collaborator client
Burp Collaborator client • A feature that acts as an external listening server • Effective for finding attacks that trigger out-of-band communication • Supports DNS, HTTP/HTTPS, and SMTP/SMTPS
Usage 1. Click Burp > Burp Collaborator client
Usage 2. Click Copy to clipboard
Usage $ curl http://fn6i69eh10k070ymmdjzeicppgv6jv.burpcollaborator.net  Connection test
Usage • Check the request
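SSRF test example: GitLab's repository import feature
SSRF test example: Features that issue requests to fetch content may allow SSRF
http://127.0.0.1:22 SSRF Payload
SSRF test example: Response
http://127.0.0.1:4444 SSRF Payload
SSRF test example: Response
The difference between the error messages makes port scanning possible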
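As an added example (not from the original slides or from GitLab's code): one way an import-by-URL feature can reject the loopback payloads above and return a single error text so that responses cannot be used to tell open ports from closed ones. `check_import_url`, `import_repository`, the `fetch` callback and the error message are hypothetical names chosen for this sketch.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

GENERIC_ERROR = "Import failed: the URL could not be fetched."  # constructed text


def _resolve(host):
    """Default resolver: every address the host name maps to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def check_import_url(url, resolve=_resolve):
    """Return (ok, ips); ok only if every address behind the URL is public."""
    try:
        parts = urlsplit(url)
        host = parts.hostname
        _ = parts.port  # raises ValueError on a malformed port
        if parts.scheme not in ("http", "https") or not host:
            return False, []
        try:
            ips = [ipaddress.ip_address(host)]  # literal such as 127.0.0.1
        except ValueError:
            ips = [ipaddress.ip_address(a) for a in sorted(resolve(host))]
    except (ValueError, OSError):
        return False, []
    # is_global is False for loopback, private, link-local and reserved ranges
    if not ips or any(not ip.is_global for ip in ips):
        return False, []
    return True, [str(ip) for ip in ips]


def import_repository(url, fetch, resolve=_resolve):
    """fetch(url, ips) is the caller's HTTP client (hypothetical); it must
    connect to one of the validated ips so a later DNS change is ignored."""
    ok, ips = check_import_url(url, resolve)
    if not ok:
        return GENERIC_ERROR
    try:
        return fetch(url, ips)
    except Exception:
        # Refused, timed out, or not HTTP: the caller sees one message, so
        # the reply does not reveal whether a port was open. Log details
        # server-side instead.
        return GENERIC_ERROR
```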
2. Find Script
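Find Script • Used to collect JavaScript files • Helps with discovering API endpoints, confidential information such as API keys, and code that could become a vulnerability
Usage 1. Click Engagement tools > Find scripts
Usage • The JavaScript files are listed
Usage • Export scripts extracts them to files
Identifying API endpoints 1. Collect the URLs where JavaScript code exists 2. Identify the API endpoints with a tool such as JSParser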
JSParser
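1. Collect the URLs where JavaScript code exists 1. List the URLs with Find Script 2. Click Copy selected URLs
Can be done with the History filtering feature 1. Open Proxy > History > filter settings 2. Check Show only and enter js
Can be done with the History filtering feature 3. Select all items
Can be done with the History filtering feature 4. Click Copy URLs
2. Identify the API endpoints 1. Paste the copied URLs 2. Click JSParse
Identifying new resources raises the probability of finding vulnerabilities  2. Identify the API endpoints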
3. Analyze target
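Analyze target • Shows which parameters are used and how many times • Can be useful for finding the same vulnerability elsewhere, or when you want to hunt for vulnerabilities on a per-parameter basis
Usage 1. Click Engagement tools > Analyze target
Usage: Review the analysis results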
Happy Hunting!